I present to you a 2016 tweet from The Grugq highlighting the significance of a CISO Moai head. The Moai emoji’s usage in infosec circles, especially with the "Mutton Crew" and CTI League, began with The Grugq as a playful but meaningful icon. Its symbolism reflects resilience and alertness within the threat intelligence and cybersecurity community. If you’ve followed the work surrounding the “Mutton Crew” / CTI League, you’ll understand the symbolism behind the Moai head. I’ll delve deeper into The Grugq’s background another time, but it’s worth noting his relevance here due to the connection he draws to gaming companies in the tweet below. Additionally, The Grugq is a member of the CTI League.
Below, The Grugq explains how someone like John Bye, formerly an economy designer at NaturalMotion Games and a supplier of Morpheme technology to Ubisoft titles such as Flashback (2013), could transition into gathering player data and, judging from John’s timeline on X, become a fully active operative with the “mutton crew” / CTI League.
https://grugq.substack.com/p/spying-through-gaming
Which got me thinking... what if this was pursued as a deliberate strategy? It could work. People become deeply invested in games. Really emotionally attached to the experience. This attachment could be exploited to recruit people and manoeuvre them into disclosing confidential information. We know it works. War Thunder manages to collect classified information for in-game vehicles.
This seems like something that should be investigated. There are already OSINT investigation teams at some games studios. Teams at games with micro transactions investigate their "whales" so they can craft custom items to sell them.
They could easily pivot; invest the same amount of time and effort into finding players who have access and then crafting scenarios to entice them to trade information for in-game rewards. It sounds far-fetched, but... War Thunder.
With the above in mind please consider that Ubisoft knew exactly what they were doing when you read the next few paragraphs.
The Illusion of Escape
You boot up your favorite single-player adventure, eager for a few stolen hours of private escape. But as the game world loads, what you don’t see is the invisible net tightening around you. Beneath the surface, every action, every mission, every pause, every secret discovered, is quietly observed and recorded, not just for fun or feedback but for a deeper, hidden purpose.
What if the world you trust to let you hide is the same world collecting everything it can, waiting for the right moment to use it?
Ubisoft’s Calculated Approach to Player Data
Recent revelations show that Ubisoft’s invasive data collection in single-player games was not just an oversight or technical limitation. It appears to have been an intentional business strategy. Despite no gameplay requirement, games like Assassin’s Creed Shadows and Far Cry Primal forced players online for every session. This move enabled Ubisoft to harvest extensive player data, including behavioral analytics and technical details, far beyond what is needed for basic ownership checks.
Attempts to play offline were consistently blocked, ensuring users had to interact with Ubisoft’s infrastructure. As a result, hundreds of server connections would be created and in-game actions transmitted to third-party analytics providers. Ubisoft did not give players a genuine opportunity to opt out or clearly explain what information was being collected and why.
Given that true offline mode is technically feasible, industry observers and privacy advocates believe Ubisoft’s system was a deliberate mechanism to maximize data extraction from its audience.
A complainant found that Far Cry Primal initiated 150 server connections in just 10 minutes, sending data to third parties such as Google, Amazon, and Datadog. Ubisoft claimed these connections were for “ownership verification,” but NOYB argues that platforms like Steam already handle such checks, making the data collection unnecessary.
The data in question includes detailed player behavior—session durations, in-game actions (e.g., missions completed or areas explored), and frequency of play—alongside device information like hardware specifications and potentially unique identifiers such as IP addresses. This data is shared with third parties, but encrypted transmissions obscure the specifics of what’s being sent. NOYB contends that Ubisoft’s End User License Agreement (EULA) and privacy policy fail to clearly disclose the scope of this data collection, denying players the ability to provide informed consent.
The Austrian privacy advocacy group NOYB (None Of Your Business) filed a complaint with Austria’s data protection authority on April 24, 2025, accusing Ubisoft of illegally collecting and sharing player data without proper consent.
Ubisoft is facing a potential €92 million (£78 million) fine, amounting to 4% of the company’s €2.3 billion annual turnover, for allegedly breaching the European Union’s General Data Protection Regulation (GDPR).
GDPR mandates that companies collect only necessary data, secure explicit consent, and maintain transparency. NOYB’s complaint alleges Ubisoft violates these rules by:
Unnecessary Data Collection: Using mandatory online connections for single-player games to harvest data without a legitimate gameplay purpose.
Lack of Transparency: Failing to clearly disclose the extent of data collection and third-party sharing in its EULA and privacy policy.
No Valid Consent: Not providing players with a clear option to opt in or out of data collection, a key GDPR requirement.
If Austria’s data protection authority upholds the complaint, Ubisoft could face the €92 million fine, alongside orders to delete unlawfully collected data and eliminate online requirements for single-player games.
Octavia Hexe and Ubisoft
Adding weight to the claim of intentional strategy is the role played by industry experts within Ubisoft’s own ranks. One such figure is Octavia Hexe, formerly Roger Johnston, who is known as one of the architects behind the DISARM framework, an open-source model for assessing and responding to disinformation risks. Octavia Hexe worked at Ubisoft at a critical time, shaping the company’s game ecosystems and underlying data infrastructure.
Their involvement combined security intelligence methodologies with gaming platform architecture, allowing Ubisoft to build systems capable of operating securely at scale while also supporting complex user data analytics. Octavia Hexe’s later work on frameworks like DISARM shows how the boundaries between cybersecurity, threat modeling, and entertainment technology are growing increasingly blurred.
Security Warnings
Cybersecurity commentators, notably The Grugq, have long cautioned that online gaming platforms can become sophisticated tools for data collection and behavioral analysis. These experts argue that when technical requirements for connectivity are imposed on single-player experiences, it often serves dual purposes: both audience engagement and covert data accumulation.
The Ubisoft case fits this pattern closely. While framed as digital rights management or ownership verification, the company’s practices gave it new opportunities to observe and profile players. Security professionals have warned for years that gaming companies are particularly well positioned to capitalize on players’ emotional connections and the privacy blind spots that come with immersive entertainment.
Fallout
The outcry from gamers, privacy advocates, and regulators has been considerable. NOYB, a leading privacy group, filed a complaint that could result in a massive fine against Ubisoft. The group is demanding that the company delete unlawfully collected data and stop imposing mandatory online requirements where they are not necessary. If successful, this action could set a precedent, encouraging the entire gaming industry to reconsider the ethics and legality of its data collection practices.
Public opinion has also shifted sharply. Many players now see Ubisoft’s actions as a calculated erosion of trust and digital privacy. The company’s silence and lack of transparency have only fueled calls for boycotts and stricter regulation.
The allegations have ignited fury across platforms like X and Reddit, where gamers have labeled Ubisoft’s practices “intrusive” and “exploitative.” Posts on X call for boycotts, with users decrying the use of single-player games as data collection tools. This scandal compounds Ubisoft’s recent challenges, including declining stock prices and criticism over game quality and monetization.
Ubisoft’s data collection scandal reveals the deliberate and well-executed use of analytics and surveillance in the gaming sector. By leveraging the expertise of figures experienced in both cybersecurity and influence operations, Ubisoft appears to have made player data a central part of its strategy. As European regulators continue to investigate, the case will have far-reaching consequences for player autonomy, trust in gaming, and the standards of digital privacy.
The stakes could not be higher. As the dust settles, it becomes clear that this is more than just a scandal for one company. It is a warning flare shot high above the industry, illuminating the new reality of digital entertainment. With every login and every hidden handshake between server and console, the question lingers: how much of ourselves are we truly giving away each time we play?
Ubisoft’s reckoning is a signal that the era of unchecked surveillance in gaming may finally be facing its first true test. The next move is not just Ubisoft’s, but ours, every player who presses start and demands to know who is really watching.
The sentiment inspector is watching.
References:
Cyber Threat Intelligence League (Wikipedia)
Assassin's Creed Hexe (a game about a witch controlling minds), coming soon from Ubisoft.